>
    Your Prisma Access License
    Focus
    Download PDF
    Focus
    1. Home
    2. Prisma Access
    3. Prisma Access Activation and Onboarding
    4. Your Prisma Access License
    Download PDF
    Prisma Access

    Your Prisma Access License

    Table of Contents

    Your Prisma Access License

    Learn about Prisma Access licenses.
    Where Can I Use This?What Do I Need?
    • Prisma Access (Managed by Strata Cloud Manager)
    • Prisma Access (Managed by Panorama)
    • Prisma Access license
    Prisma Access offers a licensing model that allows you to implement and use the capabilities of Prisma Access aligned to your business needs in a way that delivers the fastest return on investment. Whether your applications are migrating to the cloud, your users are working from anywhere, or if you are looking to gain operational efficiencies, Prisma Access offers the relevant type of license for your deployment.
    You can choose from the following license editions (more details are in the Prisma Access):
    • Business
    • Business Premium
    • Zero Trust Network Access (ZTNA) Secure Internet Gateway (SIG)
    • Enterprise
    Your Prisma Access license edition determines the security capabilities that are available to you. If you use any capability in security rules or profiles that is unsupported based on your license type, Prisma Access removes those configurations and those capabilities are not enforced in your Prisma Access tenants until you update Prisma Access with a license edition that supports those capabilities. To find the capabilities included with your license, refer to the Prisma Access.
    All license editions are available for Local and Worldwide Prisma Access locations. When you purchase a license with Worldwide locations, you can deploy Prisma Access in all Prisma Access locations. When you purchase a license with Local locations, you can select up to five Prisma Access locations.
    Prisma Access uses units in licenses, and uses the following definitions for a unit:
    • For mobile user deployments, a unit is defined as one mobile user. When you assign units in Prisma Access from your Mobile users license, each unit allows a mobile user to utilize Prisma Access—GlobalProtect, Prisma Access—Explicit Proxy, or both GlobalProtect and Explicit Proxy.
      Mobile Users who access apps using Clientless VPN are also counted as a unit for licensing purposes.
    • For remote network and Clean Pipe deployments, a unit is defined as 1 Mbps of bandwidth.
    When a Prisma Access license expires, you can still use the service and collect logs for 15 days after license expiration. You cannot make changes to configuration. Prisma Access shuts down its instances 15 days after license expiration and completely deletes the instances and tenants 30 days after license expiration.

    License Enforcement for Prisma Access Mobile User Deployments

    Learn how mobile user (GlobalProtect and Explicit Proxy) licenses are counted in Prisma Access.
    Prisma Access uses these enforcement policies for mobile user licenses:
    • Though there is no strict policing of the mobile user count, the service does track the number of unique users over the last 30 days to ensure that you have purchased the proper license tier for your user base, and stricter policing of user count may be enforced if continued overages occur.
    • A Prisma Access Mobile User license allows you to use both GlobalProtect and explicit proxy connect methods. With a single Mobile User license, the user can connect with GlobalProtect, Explicit Proxy, or both.
    • If you use Prisma Access for users—GlobalProtect, the GlobalProtect app is required on each supported endpoint. The GlobalProtect app is not required for Mobile Users—Explicit Proxy deployments.

    Other Licenses to Use With Prisma Access (Managed by Panorama)

    See the other licenses that are required for Prisma Access (Managed by Panorama).
    In addition to the Prisma Access licenses, in order to run the service you must also have the following licensed components:
    • Panorama—You deploy and manage Prisma Access using the Cloud Services plugin for Panorama. In order to use this plugin, you must have Panorama with a valid support license. See the Palo Alto Networks Compatibility Matrix for the Panorama versions that are supported with the Cloud Services plugin. When you license the Prisma Access components, you must tie the auth code to a licensed Panorama serial number.
    • Cloud Identity Engine (Directory Sync)—Cloud Identity Engine gives Prisma Access read-only access to your Active Directory information, so that you can easily set up and manage security and decryption policies for users and groups. Cloud Identity Engine is free and does not require a license to get started.
    • Strata Logging Service—The Prisma Access infrastructure forwards all logs to Strata Logging Service. You can view the Prisma Access logs, ACC, and reports directly from Panorama for an aggregated view into your remote network and mobile user traffic. To enable logging for Prisma Access, you must purchase a Strata Logging Service license.

    Other Licenses to Use With Prisma Access (Managed by Strata Cloud Manager)

    These licenses are required with Prisma Access (Managed by Strata Cloud Manager):
    • Strata Cloud Manager (Required)Strata Cloud Manager supports two licensing tiers—Essentials and Pro. Essentials is available for free with a Prisma Access and Pro is available as an add-on. Both licenses unlock a range of network security features and management tools to optimize NGFW and Prisma Access operations.
    • Strata Logging Service (Required)Prisma Access logs are stored in Strata Logging Service, and so Prisma Access requires you to also have a Strata Logging Service license. It’s a good idea to activate Strata Logging Service before you begin activating Prisma Access. If you try to activate Prisma Access without first activating Strata Logging Service, Prisma Access will guide you to activate Strata Logging Service before allowing you to continue Prisma Access activation. Your Strata Logging Service instance and Prisma Access instance must be deployed in the same region.
    • Cloud Identity Engine (Directory Sync)—Cloud Identity Engine gives Prisma Access read-only access to your Active Directory information, so that you can easily set up and manage security and decryption policies for users and groups. Cloud Identity Engine is free and does not require a license to get started.
    • SaaS Security API—Integrate SaaS Security API with Prisma Access for Clientless VPN and authentication support.
    • Remote Browser Isolation (RBI)—Integrate RBI with Prisma Access to provide a browsing environment that isolates all malware, including zero-day attacks that result from browsing and web activity, away from your end users and your network.

    Prisma Access Add-On Licenses

    Learn about the add-on licenses that are provided by Prisma Access.
    You can add the following capabilities to use with Prisma Access as an add-on license:

    © 2025 Palo Alto Networks, Inc. All rights reserved.